The NCSC wants you to start using password managers and passkeys – here’s how to choose the best options


The National Cyber Security Centre (NCSC) has published guidance recommending the use of password managers and passkeys, insisting that the latter are the “future of authentication”.

In a blog post outlining the advantages of both, the cybersecurity agency noted that first-party, browser-based password managers can be a handy tool for users due to their deep integration with a platform’s security.

Browsers such as Chrome, Safari, Edge, and Firefox all offer built-in password management capabilities, making them a convenient option for users.

Dedicated password management platforms are also a viable option. Notably, the agency said that long-standing services will probably have only survived due to their strong attention to security practices.

It’s worth noting that there have been issues with password managers in recent years, with high-profile breach incidents denting consumer confidence.

So what makes password managers safe and secure? According to the NCSC, password data is stored securely either by using “device features like security chips, or encryption, or both”.

“Many first-party and third-party password managers now use fingerprint or facial recognition before revealing passwords,” the agency added.

A passkey, meanwhile, is a new standard developed and supported by tech giants like Apple, Google, and Microsoft, offering a passwordless login technology based on public-key cryptography.

Instead of a password, the device creates a pair of complex secrets for each website the user signs up to, keeping one secret and giving the other to the website at the time of sign-up.

Because the key pair combination is unique, the passkey will only work on the website or app it was created for.

When the user logs in, the device checks that it is the right person through whatever means is usually used to unlock it, and can then prove to the website that it has the device secret, without actually revealing the secret itself.

“Because this happens so quickly, it’s often eight times faster than logging in with a username, password and two factor code, whilst being more secure,” said the NCSC.

“Passkeys are rolling out fast. Websites like Google, eBay, and PayPal already support them. They’re easy to use, hard to compromise, and eliminate password fatigue.”

Choosing your options

First and foremost, the NCSC said it is important to consider a company’s reputation when choosing tools such as these.

ITPro has a comprehensive list of password managers that both individuals and businesses can choose from below.

While these tools provide convenience, users are still urged to follow best practices in terms of cyber hygiene and awareness. The agency advised users to make sure they run updates, use biometric locks, and set up backup recovery options.

For example, this could include using recovery keys or trusted contacts.

“Don’t be afraid to adopt new security practices like passkeys – they’re easier and it’s where the internet is headed,” the agency added.

Greg Wetmore, vice president of product development at Entrust, echoed the NCSC’s stance on passkeys, claiming that they’re a game changer from a cybersecurity perspective.

Passwords are easy to breach, he noted, and often challenging to remember, with research indicating that more than half of people have to reset their password once a month because they can’t remember it.

“Creating a unique, secure password is difficult to achieve for each account, with the average person having 170 passwords. Passkeys provide an excellent technical response to the problems with passwords,” he said.

“Perhaps the most important security attribute of passkeys is that they are phishing resistant. An attacker cannot steal your passkey and subsequently use it to access your online account. The NCSC are right; it’s time to move from passwords to password managers and passkeys.”
